Carphone Warehouse has been issued with one of the largest fines to be doled out by the Information Commissioner's Office (ICO) after one of its computer systems was compromised as a result of a cyber-attack in 2015.

The company's failure to secure the system allowed unauthorised access to the personal data of more than three million customers and 1,000 employees.

The employee data included names, phone numbers, postcodes and car registrations. The data was accessed using valid login credentials via out-of-date WordPress software.

As a result, Carphone Warehouse has been ordered to pay £400,000 by the ICO, which deemed that the data involved would significantly affect individuals' privacy, leaving their data at risk of being misused. The watchdog identified “multiple inadequacies” in the company's approach to data security.

“A company as large, well-resourced and established as Carphone Warehouse should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks,” information commissioner Elizabeth Denham said.

“Carphone Warehouse should be at the top of its game when it comes to cyber-security, and it is concerning that the systematic failures we found related to rudimentary, commonplace measures.”

The fine matches that given to TalkTalk in October 2016 after security failings allowed a cyber-attacker to access customer data. The ICO acknowledged that in the case of Carphone Warehouse, there has been no evidence to date that data has resulted in identity theft or fraud.

From 25 May, more stringent rules on data protection are coming into effect as part of the General Data Protection Regulation (GDPR). This will give the ICO the power to impose significantly increased fines up to a maximum of €20m or 4 per cent of global turnover.